Cloud-based scheduling platform FlexBooker suffered a large data breach recently that appears to have affected some 3.7 million people. If you’re one of those people, it would probably be best to act fast and protect your data because reports show the stolen information is currently being shared on some of the internet’s less savory websites.
FlexBooker sells an online scheduling tool that assists with setting up meetings, reservations, and appointments, and its website shows its main clients are an assortment of small businesses—including mechanics, nail salons, dentists, doctors, barbers, gyms, and others.
BleepingComputer reports that the company’s unfortunate data situation was kicked off last month when a denial-of-service attack disrupted the company’s operations just days before Christmas.
“We have been alerted through monitoring analytics that we are experiencing a massive Deep Denial of Service attack,” reads a statement published to FlexBooker’s website on Dec. 23. “This is causing widespread outages of our core application functionality. We are working with AWS now to remedy the situation and cut the attack off as quickly as possible.” The company later revealed in an email to users that some personal data had been compromised as a result of the incident.
Just how much data and what kind? According to the well-known breach website Have I Been Pwned, the number of people affected is 3,756,794—or in the neighborhood of 4 million users. The site further states that the compromised information includes names, phone numbers, email addresses, passwords, and, in some cases, partial credit card information.
To make matters worse, BleepingComputer has reported that the stolen information is now being thrown around on a number of criminal dark web forums. The self-proclaimed perpetrator of the attacks—a group going by the name of “Uawrongteam”—has been sharing links to archived information that is allegedly sourced from the breach.
We reached out to FlexBooker for comment on this story but have not heard back. We’ll update when they respond. If you’re a user and are worried about your data, the best move you could make would be to start with changing your potentially affected password and then further assess the damage from there. In cases like this, the first step is knowing that you’ve been pwned so consider step one accomplished.